an identity management and authentication scheme based on...

6688 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 69, NO. 6, JUNE 2020

An Identity Management and AuthenticationScheme Based on Redactable Blockchain

for Mobile NetworksJie Xu , Kaiping Xue , Senior Member, IEEE, Hangyu Tian, Student Member, IEEE, Jianan Hong ,

David S. L. Wei, Senior Member, IEEE, and Peilin Hong

Abstract—More and more users are eager to obtain more com-prehensive network services without revealing their private in-formation. Traditionally, in order to access a network, a user isauthorized with an identity and corresponding keys, which aregenerated and managed by the network operator. All users’ person-ally identifying information are centralized stored by the networkoperator. However, this approach makes users lose the controlof their personally identifying information. Users are concernedabout who can access these sensitive data and whether they havebeen compromised. In this paper, we propose a blockchain-basedidentity management and authentication scheme for mobile net-works, where users’ identifying information are controlled by theusers themselves. Our scheme let users generate their self-sovereignidentities (SSIs) and corresponding public keys and private keys.The private key used to authenticate the user’s identifying infor-mation is only known to the user. We use blockchain to recordSSIs and public keys of legitimate user, and adopt chameleonhash to delete illegal users’ information on the blockchain, whilekeeping the block head unchanged. Furthermore, other serviceproviders can obtain the user’s SSI and public key and authenticateusers by querying the blockchain. Experimental results confirmthat our scheme can greatly reduce the revocation overhead andcommunication overhead.

Index Terms—Identity management, mutual authentication,chameleon hash, redactable blockchain.

I. INTRODUCTION

W ITH ADVANCES in wireless communication technol-ogy, users are eager to obtain more efficient and com-

prehensive mobile network services. In order to prevent usersfrom illegally accessing or attacking the network, identity man-agement and access authentication play a critical role in mobile

Manuscript received December 15, 2019; revised February 21, 2020; acceptedMarch 27, 2020. Date of publication April 8, 2020; date of current versionJune 18, 2020. This work was supported in part by the National NaturalScience Foundation of China under Grant 61972371 and in part by the YouthInnovation Promotion Association of the Chinese Academy of Sciences (CAS)under Grant 2016394. The review of this article was coordinated by Prof.L. Zhu. (Corresponding author: Kaiping Xue.)

Jie Xu, Kaiping Xue, Hangyu Tian, and Peilin Hong are with the Departmentof Electronic Engineering and Information Science, University of Science andTechnology of China, Hefei 230027, China (e-mail: [email protected];[email protected]; [email protected]; [email protected]).

Jianan Hong is with the Huawei Shanghai Research Institute, Shanghai201206, China (e-mail: [email protected]).

David S. L. Wei is with the Department of Computer and Information Science,Fordham University, Bronx, NY 10458 USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/TVT.2020.2986041

network security. In general, users can only use their creden-tials, such as identity cards, to register with their local networkoperator to obtain their unique International Mobile SubscriberIdentification Number (IMSI) and the corresponding symmetrickeys for accessing network [1].

However, there are many shortcomings in existing service-centric wireless mobile network architecture. First of all, mutualauthentication between users and operators is based on symmet-ric encryption system, which means that users can only be au-thenticated by their local network operators through symmetrickey. In order to authenticate users, the local network operatorhas to store all the authenticated users’ symmetric keys in itsAuthentication Center (AuC) [2], which is a database in its corenetwork. Each time a user accesses the mobile network, theuser’s authentication request needs to be sent to the core network.Centralized authentication leads to a single point bottleneckproblems. The security of the operator’s AuC is critical, andonce it is compromised, it may affect millions of users ofthe network. Secondly, in the service-centric wireless mobilenetwork architecture, if users want to access other networkservices, they must rely on local operators to provide theirown information to other service providers. Thus, users haveno control over how much their information is exposed. Users’identity information is very sensitive and needs to be strictlycontrolled [3]. Operator’s coarse-grained exposure of the user’sinformation for commercial benefit or other reasons may causeserious damage of privacy violation to the user. Even worse,users cannot effortlessly change their network operators withoutgiving up their original digital identities. In other words, once auser changes his or her network provider, he or she must give upthe personal information in other applications associated withthe original identity. As a result, users have less control overtheir identity, the relationship between operators and users isdifficult to change, and market competition decreases.

Self-Sovereign Identity (SSI) can be seen as an identitymanagement model where each identity is fully owned,controlled and managed by the entity to which the identitybelongs [4]. Unlike traditional identity management schemes,such as isolated identity model or federated identity model,each user can not only control the secure storage and accessof personally identifying information, but also add or deletehis/her personally identifying information. Therefore, this kind

0018-9545 © 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: University of Science & Technology of China. Downloaded on June 20,2020 at 03:03:49 UTC from IEEE Xplore. Restrictions apply.

https://orcid.org/0000-0002-9924-4157

https://orcid.org/0000-0003-2095-7523

https://orcid.org/0000-0002-3027-1990

https://orcid.org/0000-0002-3027-1990

mailto:[email protected]






XU et al.: IDENTITY MANAGEMENT AND AUTHENTICATION SCHEME BASED ON REDACTABLE BLOCKCHAIN FOR MOBILE NETWORKS 6689

of identity management infrastructure does not need to trust anycentral authority and can exist in a decentralized environmentthat does not belong to or be controlled by a centralized authority.

Meanwhile, blockchain [5] can be treated as a public, digi-tized, and distributed ledger built on peer-to-peer network, whichhas been introduced and applied many network scenarios [6]–[9]. In blockchain system, data generated by participating enti-ties are published as a transaction, and transactions are packagedinto a block. Blocks are added to the blockchain by miners inchronological order. It is worth noting that miners who adddata are independent individuals, and there are no centralizedthird-party authorities in the blockchain. All participating enti-ties store the blockchain and periodically update the blockchain.It is easy to share information among multiple participatingentities. Blockchain helps with implementing a system with noneed of a trusted party such as a central Certification Authority(CA). Therefore, blockchain is an ideal mechanism to serve asa decentralized public publishing and query platform for users’self-sovereign identities management.

Motivated by the above observations, we introduce ablockchain-based self-sovereign identity management and au-thentication scheme to enable users to manage personally iden-tifying information. In our user-centric identity management,users generate their SSI and obtain personally identifying infor-mation associated with the SSI from distributed trusted entities.Network operators authenticate users through SSIs and theirpersonally identifying information (recorded as claim). TheSSIs and corresponding public keys of legitimate users are addedto blockchain by network operators for others to query. To defendillegal use of network services by users, user dynamic revoca-tion is an essential part of user identity management schemes.However, a trivial solution by which network operators maintainand update the revocation list requires heavy storage overhead.In order to reduce storage overhead, network operators utilizechameleon hash [10] to remove illegal users’ information onblockchain instead of maintaining revocation lists to implementdynamic user revocation.

The main contributions of this paper can be summarized asfollows:

1) We propose a self-sovereign identity management schemefor wireless mobile networks. By introducing self-sovereign identity, even if a user changes his/her operator,he/she can still retain control over his/her identity andpersonally identifying information.

2) We design a lightweight authentication protocol basedon blockchain between users and network operators orservice providers. Network operator or service providercan authenticate user and negotiate session key by query-ing blockchain. There is no need for service providerto maintain a database to save users’ keys; and the usercan authenticate with service provider without creating aredundant identity.

3) We further provide an efficient and fine-grained dynamicuser revocation method by utilizing the chameleon hash.The network operator can revoke users at any time by mod-ifying users’ register information on blockchain with noneed of maintaining the revocation list, thereby reducingthe authentication delay, and storage overhead.

The rest of this paper is organized as follows. We reviewrelated work in Section II, and introduce the system model,threat model and design goals in Section III. Then, we describethe detailed construction of our proposed scheme in Section V.Security analysis and performance evaluation are presented inSection VI and Section VII, respectively. Finally, we concludethis paper in Section VIII.

II. RELATED WORK

In this section, we discuss the related work in terms of identitymanagement and traditional authentication for wireless mobilenetworks.

A. Identity Management Scheme

Centralized infrastructures are the most common identitymanagement [11]–[13], where users’ personally identifying in-formation are controlled by an organization rather than the userhimself/herself. It means that the organization may disclosethe information of the user at any time. Once an organiza-tion‘s database is compromised, the adversary can enter intoeach user’s account. In addition, the centralized system is aclosed system, making it difficult to transfer users’ personallyidentifying information from one application to another [14].In order to solve the problem of centralization, some studieshave proposed federated identity management [15], [16]. Usersare allowed to log into multiple services within the federateddomain using one identity. Although federated identity man-agement achieve identity portability to some extent, the identityof users is still controlled and managed by federated serviceproviders. Meanwhile, there have been quite a few proposedschemes contributing to meet the user privacy protection require-ments [17]–[19]. They focus on user oriented paradigm, calleduser-centric identity management, enabling users to selectivelyauthorize personal data under various conditions and reveal thecredentials presented in response to authentication requests. Inthe literature [17], Singh et al. proposed a user-centric model,which is recorded as a privacy-aware Personal Data Storage(PDS). By active learning, PDS can automatically make privacy-aware decisions on third-party access requests based on userpreferences.

However, the user-centric model does not enable users tofully control and manage their personally identifying informa-tion, while self-sovereign identity management achieves it usingblockchain technology. Alboaie et al. [20] introduced a privatedata system, in which all private data are encrypted and stored innodes throughout the Internet. The user has full control over thedecryption key and can share and revoke access to private data atany time. After that, Othman et al. [21] combined a decentralizedSSI ecosystem with Biometric Open Protocol Standard (BOPS).In [21], any entity can access the user’s personally identifyinginformation only after successful biometric authentication. In2019, Ferdous et al. [22] aimed at giving a comprehensive andrigorous concept of self-sovereign identity. They also demon-strated several envisaged self-sovereign identity managementprocesses. However, it is just a rough idea and there is no detaileddesign. In addition, there are also several projects that combine



distributed ledger technology (DLT) and SSI, such as uPort [23],Sovrin [24] and ShoCard [25].

Although [20]–[25] can solve the problem of users’ losingthe control of their identifying information [11]–[19], theseschemes are unable to let the network operator revoke userswhenever the network operator controls users access to thenetwork. In this paper, we introduce a self-sovereign identitymanagement scheme for mobile networks. It allows the networkoperator to revoke users, while the user’s identity is still validin other service application even if the user is revoked by thenetwork operator.

B. Authentication Schemes for Wireless Mobile Networks

Due to the open access characteristics of wireless mobilenetworks, it is important to perform network access controlto thwart malicious attacks. Although public key infrastructure(PKI) has been widely used to implement mutual authenticationbetween users and servers, it is still a big challenge for PKIto establish a trust authority to manage all certificates. Recentresearch [26], [27] indicates that Identity-Based Cryptography(IBC) authentication system can eliminate heavy certificatemanagement burden based on PKI. While IBC-based worksshow great advantages for application scenarios involving de-vices with restricted resources, these work assume that a trustedcentralized Private Key Generator (PKG) exists. This means thatall participants are required to fully trust the centralized PKG togenerate private keys, which may lead to single-point bottleneck.In [28] and [29], authors propose to authenticate users by usinggroup signatures, but these schemes may not be suitable for someIoT devices with limited computing resource because of the highcomputational overhead of group signatures.

Nowadays, in order to provide users with a wider range ofnetwork services, many studies have done a great deal of work onroaming authentication, such as [29]–[32]. In these schemes, auser only have one identity and its corresponding key generatedby the local domain server for network access. When a userroams to a foreign network, the user sends access network re-quests to the foreign operator, and the foreign operator forwardsthe user‘s authentication request to user’s local domain serverfor authentication. The local domain server authenticates theuser and returns the authentication result to the foreign domainserver [29], [30]. However, since authentication of the user re-quires the participation of the user’s local server, authenticationdelay caused by communication between the foreign server andthe local server is inevitable. Thus, some research [31], [32]are committed to two-party roaming protocols, so that userauthentication does not require local network operators to beonline in real time. Unfortunately, in these schemes, the foreigndomain server cannot discover the users revoked by the localdomain in time, resulting in illegal access.

In addition, it is worth noting that all of the aboveauthentication schemes must involve the central server. Thismeans that once the central server crashes, the entire systembreaks down. Therefore, in this paper, we propose a distributedauthentication scheme, which can authenticate users at the edge

Fig. 1. System model.

of the network, thus eliminating single point bottleneck andenhancing robustness.

III. SYSTEM MODEL, THREAT MODEL, AND DESIGN GOALS

In this section, we introduce the system model, threat model,and design goals of our proposed scheme.

A. System Model

As depicted in Fig. 1, there are mainly five components, whichare described in detail as follows:� User: The user is the owner of an SSI. A user generates SSI

and its corresponding public key, uniquely and completelycontrol and manage SSI. A user can have multiple SSIs atthe same time, and there is no connection between SSIs.The user stores claims related to his/her SSI locally, andpresents them to the service provider as needed.

� Issuer: The issuers are distributed trusted entities suchas schools, banks, companies, etc. They issue verifiableclaims for certain attributes of the SSI owner. These veri-fiable claims include the issuer’s signature for verificationby others.

� Network operator: It verifies users’ verifiable claims anddetermines whether users can access the network. All par-ticipating network operators form a consortium to jointlymaintain the blockchain. Network operators can also re-voke users by modifying transactions on blockchain. Thereis an existing trust relationship between the verifier and theissuer.

� Service provider (SP): It obtains the user’s SSI and corre-sponding public key by querying the blockchain. Users canprove their own SSIs to SPs by signing with their privatekeys.

� Blockchain: It is a consortium blockchain maintained bynetwork operators for publishing users’ SSIs and pub-lic keys. Any entity can read the information on theblockchain. The transactions in a block constitute a merklehash tree, where the first layer of hash is a chameleon hash.Network operators can modify transactions while keepingblock headers unchanged.



B. Threat Model

We assume that there may be passive attack and active attackin wireless mobile networks. Active adversaries may involvemodifying messages or disrupting communications betweenuser and network operator or service provider. Typical activeattacks include replay attacks, injection attacks, DoS attacks, andDDoS attacks. An active adversary may be a user, performingvarious attacks in order to illegally occupy network resources.Unlike active attacks, passive adversaries do not actively in-terrupt user communications. The passive adversaries may getuser’s private information by eavesdropping on user messagesor by analyzing user traffic.

In addition, we assume that there are 3f + 1 network opera-tors in the consortium to maintain the blockchain, and there areno more than f malicious nodes in the consortium.

C. Design Goals

We aim to achieve a secure and efficient identity managementand authentication in wireless mobile networks. Specifically, ourdesign goals include the following:� Identity Security: For confidentiality, personally identify-

ing information interactions must be transmitted over asecure channel. Only users themselves have the privatekey corresponding to their own SSI. No adversary canimpersonate a user to apply for claims or present claims.Identity security also includes the availability of identity.Even if a user’s SSI is revoked by a network operator,the user still controls his or her SSI and related claims,which means that the user can still use his/her SSI in otherapplications.

� Mutual Authentication: The authentication scheme in-cludes mutual authentication between users and networkoperators, and also between users and SPs. Network op-erators and SPs only provide services to users who havesuccessfully authenticated. Meanwhile, users only trust theservices of network operators and SPs, which are success-fully authenticated.

� Session Key Security: After successful authentication, anetwork operator and a user negotiate a session key. Thesession keys satisfy forward security and backward secu-rity, that is, even if the current session key is compromised,the previous or subsequent session keys remain secret.

� Portability: An SSI can be used in multiple platforms atthe same time. Moreover, users can start or quit using SSIon the platforms at any time. Even if an SSI of the user isrevoked in one platform, it does not affect the SSI used inother platforms.

� Scalability: There is no single point bottleneck problem.The system can support large-scale user identity manage-ment and handle a large number of identity authenticationrequests at the same time.

IV. PRELIMINARIES

In this section, we illustrate background knowledge used inthis paper, including definition of discrete logarithm and its se-curity assumptions, chameleon hash algorithm, and descriptionof verifiable claim.

A. Discrete Logarithm

Definition 1 (Discrete Logarithm Problem (DLP)): Let Gbe a cyclic multiplicative group generated by g with the primeorder q. For any Probabilistic Polynomial Time (PPT) adversaryA, the probability of finding x ∈ Z∗q to satisfy the equationy = gx is negligible, when giving the parameters g and y.

B. Chameleon Hash

Chameleon hash was first proposed by Krawczyk and Rabinin 2000 [10]. It is an important function of chameleon signature,which was originally designed to not allow the recipient todisclose the contents of the signed information to anyone withoutthe consent of the signer. Chameleon hash can be viewed as acryptographic hash function that contains a trapdoor. If thereis no trapdoor, it is collision-resistant, but is collision tractablewith the knowledge of the trapdoor information. Later, Atenieseet al. [33] proposed an approach that uses chameleon hash toreplace the hash function in block head to make blockchainredactable. After that, Derler et al. [34] further uses policy-based chameleon hash to implement transaction-level rewriting,thereby supporting the fine-grained and controllable modifica-tion.

Next, we give the definition of chameleon hash, and then showthe detailed chameleon hash generation process in Algorithm 1,which is according to the work done by Ateniese et al. [33].

Definition 2 (Chameleon-Hash): The chameleon hash CHconsists of four algorithms (Gen,Hash, V er, Col). The algo-rithm details are as follows:� (hk, tk)← CH.Gen(1κ): The key generation algorithm

takes the security parameter κ ∈ N as input, and outputs apublic hash key hk and a secret trapdoor key tk.

� (h)← CH.Hash(hk,m; r, s): The chameleon hash al-gorithm takes the hash key hk, a message m, and (r, s),where r and s denote the random number used to generatethe hash value as input, and outputs a chameleon hash h.

� d← CH.Ver(hk,m, (h, r, s)): The verification algo-rithm takes the hash key hk, a message m, and(h, r, s) as input, and returns d = 1 if and only ifCH.Hash(hk,m; r, s) = h. Otherwise, d equals 0.

� (r,′ s′)← CH.Col(tk, h,m′): The collision finding algo-rithm takes the trapdoor key tk, a chameleon hash h, anda new message m′ as input, and returns a new pair of(r,′ s′) such that h=CH.Hash(hk,m′; r,′ s′). If (tk, h,m′)is invalid, then the algorithm returns NULL.

C. Claim

Definition 3 (Claim): Claims are assertion that describe var-ious attributes related to an entity.

Definition 4 (Verifiable Claim): Verifiable Claims are claimsmade by a third party about another entity. Verifiable claims canbe verified by the public key associated with the issuer’s SSI, andcannot be denied. An entity can have multiple verifiable claimsat the same time, and stored them locally.



Algorithm 1: Chameleon Hash.Input: Message m, public hash key y, and secret

trapdoor key x;Output: Chameleon hash h;

1: Select prime p, q where p = 2q + 1;2: Select prime g, which is a generator for the subgroup

of quadratic residues QRp of Z∗p;3: Select random value r and s, where r, s ∈ Zq;4: Compute chameleon Hash value

h = r − (yH(m||r) · gs mod p) mod q, whereH : {0, 1}∗ → Zq is a standard-collision resistanthash function;

5: return (h, r, s);

V. OUR PROPOSED SCHEME

In this section, we first give the overview of our proposedself-sovereign identity management and authentication scheme.In the following, we provide a detailed description of ourscheme, which mainly consists of five phases: InitializationPhase, Consensus Phase, User Authentication Phase, DynamicRevocation, and Payment Phases.

A. Overview

In self-sovereign identity management, users generate theirself-sovereign identities ID and the corresponding public andprivate keys (pk, sk). Before a user requests service from anetwork operator, the user should sends (ID, pk) to the issuertrusted by the network operator for verifiable claims. It is note-worthy that a user can generate several different (ID, pk, sk) tobe authenticated by different issuers to obtain multiple verifiableclaims. In order to access the network, the user provides theverifiable claim to the network operator for authorization. Thenetwork operator packages authorized users’ SSI and publickeys into a transaction. The transaction is eventually added tothe consortium blockchain maintained by network operators.After that, not only the network operator but also any thirdparty, such as a service provider, can use the user’s public keyobtained by querying the blockchain to authenticate the user.After authentication, the network operator and the user negotiatefor session keys by sharing secret parameters to ensure theprivacy of subsequent session information, and so does betweenthe service provider and the user.

If a user is detected illegally accessing network, the networkoperator who allows the user to access network can revoke theuser. More precisely, the network operator first generates a newtransaction that does not contain the revoked user‘s registrationinformation to replace the original transaction that containedthe revoked user’s registration information. Then, the networkoperator generates a chameleon hash of the new transaction,broadcasting the new transaction and the new chameleon hashparameters to other network operators in the consortium. Aftersuccessfully verifying the chameleon hash parameters, othernetwork operators replace the original stored transaction with

Algorithm 2: Operator Initialization.Input: Security parameter κ;Output: Secret trapdoor key x and public hash key y;

1: Select prime p, q, where p = 2q + 1;2: Select g, which is a generator for the subgroup of

quadratic residues QRp of Z∗p;3: Select a random value x ∈ [1, q − 1] as the secret

trapdoor key;4: Set the public hash key y = gx;5: return (x, y);

Fig. 2. User initialization.

the new one. Therefore, users on blockchain are now legitimateusers, there is no need to maintain a revocation list.

B. Details of Our Proposed Scheme

Here we give a detailed description of our proposed system,which can be divided into five phases: 1) Initialization phase,2) Consensus phase, 3) User authentication phase, 4) Dynamicuser revocation phase, and 5) Payment phase.

1) Initialization Phase: The initialization phase can be di-vided into two parts. One part is the network operator initializa-tion, which generates the network operator’s secret trapdoor keyand public hash key through Algorithm 2.

The other part is user initialization part, which is illustratedin Fig. 2. The detailed steps are described as follows.

1) User Ui generates his/her identity IDUiand the corre-

sponding public key pkUiand private key skUi

by usinga public key algorithm such as RSA. Then, the user sends(IDUi

, pkUi) to the issuer through a secure channel.

2) Upon receiving the user’s message, the issuer I firstlyverifies (IDUi

, pkUi). If IDUi

has already been registeredor it is invalid, the issuer rejects the request. Otherwise,the issuer generates a verifiable claim claim and its signa-ture σUi

= SigskI{H(IDUi

, pkUi, claim,LT )} for Ui,

where LT is the lifetime for the verifiable claim. Then,I sends {IDUi

, pkUi, claim,LT, σUi

} to Ui through asecure channel.



Algorithm 3: Transactions Generation.Input: All the authorized users‘ identities, public

keys, operator’s public hash key y;Output: Transaction txOj

;1: foreach authorized user IDUi

2: Set λij = {IDOj

Ui, pkUi

};3: end4: Set wj = {λ1j , . . ., λij};5: Set message m = {IDOj

, wj , Sigskj{H(wj)}};

6: Select random value r and s, where r, s ∈ Zq;7: Compute chameleon hash value h = r − (yH(m||r) · gs

mod p) mod q, where H : {0, 1}∗ → Zq is astandard-collision resistant hash function;

8: Set txOj= {m,h};

9: return tOj;

3) Upon receiving σUifrom the issuer, the user can

send network access requests to network operatorOj . Firstly, the user generates a timestamp ts1, andthen computes Eclaim = Enc(pkOj

, {claim,LT}) andsignature SUi

= SigskUi{H(ts1, claim,LT, σUi

)}. Fi-nally, the user sends{IDUi

, pkUi, ts1, Eclaim, σUi

, SUi}

to Oj .4) Upon receiving the message from Ui, Oj verifies whether

the timestamp ts1 is within the allowed range comparedto current time. If not, Oj rejects the request; otherwise,Oj continues to check whether the lifetime LT is withinthe allowed time. If not, Oj stops the session. Otherwise,Oj decrypts Eclaim to get the claim, and verifies thesignature SUi

. If the signature is valid, Oj authorizes Ui

to access the network.Similarly, a user can generate several SSIs and corresponding

public and private keys to obtain verifiable claims of differentissuers and store them locally. Besides, a user can use one SSI toregister with multiple network operators for authorization at thesame time. Thus, the user can hand over to different networksaccording to external network environment without changinghis/her identity.

2) Consensus Phase: After a network operator authorizes auser, the network operator adds the user’s registration informa-tion to blockchain, which is a consortium blockchain maintainedby network operators. To improve efficiency, each networkoperator periodically packs the information of its authorizedusers in a time slot into a transaction. Algorithm 3 illustratesthe detail of the process of transactions generation. After thetransaction is generated, the network operator broadcasts {tOj

}to other network operators in the consortium.

Blockchain is a distributed system that does not depend ona central authority. Therefore, an algorithm is needed to enablenetwork operators in the consortium to reach a consensus. Inour proposed scheme, the consensus of consortium blockchainis Practical Byzantine Fault Tolerance (PBFT) [35]. We assumethat there are a total of 3f + 1 network operators in the con-sortium. There is only one leader in each time period, and theleader is rotated by network operators.

Fig. 3. Structure of block with chameleon hash.

Every once in a while, network operators verify the validityof the received transaction with the corresponding (r, s). Then,each network operator multicasts the verification results of thetransactions. After the pre-prepare, prepare, commit, and replyphase of the PBFT consensus, legal transactions are added to theconsortium blockchain maintained by all network operators. It isimportant to highlight that the hash of transaction is chameleonhash. As it can be seen from Fig. 3, the first level of merkle tree isthe chameleon hash valueh, which are contained in transactions.

3) User Access Phase: After a user’s SSI and public key areadded to blockchain, the user can authenticate with a networkoperator or a service provider to negotiate a session key toencrypt communication message. The detailed process for theuser Ui to access the network operator Oj’s network is asfollows, and the process of the user Ui requiring the servicefrom SP is similar.

1) User Ui first generates random value r1, timestamp ts2,and computes signature αUi

= SigUi{H(r1, ts2)}. Then,

Ui sends {IDUi, r1, ts2, αUi

} to network operator Oj .2) Upon receiving the message from Ui, Oj first verifies

the timestamp. If ts2 is not within the allowed rangecompared to current time, Oj rejects the access request;otherwise,Oj searches for pkUi

on blockchain with IDUi.

If there is no pkUi, Oj rejects user’s access request.

Otherwise, Oj verifies the signature αUiwith pkUi

. IfαUi

is invalid, Oj stops the session; otherwise, Oj ran-domly generates the seed of session key for Ui, andtimestamp ts3. Then, Oj computes the signature βOj

=SigOj

{H(ts3, SigOj(r1), Enc(pkUi

, seed))} and thesession key SKij = H(IDUi

||IDOj||ts2||ts3||seed). Fi-

nally, Oj sends {ts3, SigOj(r1), Enc(pkUi

, seed), βOj}

to Ui.3) Upon receiving the message from Oj , Ui checks if ts3

is within the allowed range compared to the currenttime. If so, Ui queries the network operator’s public keyon blockchain, and then verifies the received signatureβOj

. If βOjis valid, Ui decrypts the Enc(pkUi

, seed)to get the seed, and computes the session key SKij =H(IDUi

||IDOj||ts2||ts3||seed); otherwise, Ui restarts

the access request.It should be pointed out that if any other service provider or

foreign network operator trusts the local network operator Oj toverify the user’s claim, the service provider or foreign networkoperator can trust the user on the blockchain added by Oj andnot verify the user’s claim again. Therefore, they can search for



Algorithm 4: Chameleon Collision.

Input: Updated message m′, chameleon hash h,operator’s secret trapdoor key x;

Output: updated (r,′ s′);1: Select a random value k ∈ [1, q − 1];2: Compute updated r′ = h+ (gk mod p) mod q;3: Compute updated s′ = k −H(m′||r′) · x mod q;4: return (r,′ s′);

pkUifrom the blockchain to authenticate user Ui, and support

the user accessing service. As a result, the user can have access tomultiple services with one identity IDUi

and the correspondingprivate key.

4) Dynamic Revocation: Considering that some users mayillegally access network, and network operators need to revokethese illegal users and prevent them from accessing network. Ingeneral, each network operator needs to maintain and period-ically update a revocation list. However, it might bring heavystorage overhead and communication overhead. In our scheme,we utilize chameleon hash to delete illegal users’ registrationinformation stored on blockchain instead of revocation list. Ifthere is no public key of a user on the blockchain, the usercan be considered as an illegal network user. In order to deletethe registration information on the blockchain, the networkoperator who authorizes users to access the network, generatesa new transaction that does not contain illegal user‘s registrationinformation in place of the transaction containing the legitimateuser’s registration information on the blockchain. After the newtransaction is verified by other network operators in networkoperator consortium, it replaces the original transaction. Thespecific transaction replacement steps are as follows:

1) If Oj needs to revoke user Ui, whose registration informa-tion is contained in txOj

,Oj first generates a new messagem′ = {IDOj

, λ1j , . . ., λi−1j , Sigskj{H(w′j)}}, where

λkj = {IDUk, pkUk

}, w′j = {IDOj, λ1j , . . ., λi−1j}. m′

is the same as m except that m′ does not contain theregistration information of Ui.

2) Oj generates chameleon hash collision with m′ and itsprivate trapdoor key. Algorithm 4 illustrates the processof the chameleon hash collision.

3) After executing Algorithm 4, Oj can obtain r′ and s′.Then, Oj generates a new transaction tx′Oj

= {m,′ h}.Oj broadcasts {txOj

,′ r,′ s′} to other operators.4) After other network operators received the new transac-

tion, they first verify whetherh is equal to r′ − (yH(m′||r′) ·gs′mod p) mod q. If so, other network operators store

the new transactions tx′Ojand delete the original transac-

tion txOj.

5) Payment Phase: Cryptocurrency can provide users andnetwork operators with more convenient and secure transactionmethods of trading. However, the processing speed of cryptocur-rency transactions is limited and transaction fees is overwhelm-ing even for small value transactions. Instead, micropaymentchannel [36] is the most promising solution to significantlyreduce transaction time and save transaction costs. As shown in

Fig. 4. The structure of Userchain.

Fig. 4, we propose to utilize micropayment channel to conductsecure payments offchain. The detail of micropayment channelcan be found in [36]. The micropayment channel scheme mainlyconsists of three steps: establish channel, update channel, andclose channel.

1) User Ui first creates a funding transaction on bitcoinblockchain. Ui pays an amount of bitcoins b0 to a P2SHoutput in funding transaction, whose 2− of − 2 multi-signature redeem script requires signatures from both Ui

andOj . The user sends the transaction toOj , andOj holdsthe bitcoin hostage. User Ui creates a refund transaction,whose input is the input of the funding transaction, and theoutput is the address of the user. User Ui sends the refundtransaction to SP for signature. IfOj checks that the refundtransaction is valid, then Oj signs the refund transactionand sends it to Ui. Finally, Ui broadcasts funding trans-action and refund transaction. The refund transaction isinvalid until the time-lock in the transaction is unlocked.Thus, the micropayment channel is established.

2) If a user needs to pay b bitcoins to Oj every minuteas service fee, then the user generates a commitmenttransaction every minute. The input of the commitmenttransaction generated by the user for the first time isthe input of the funding transaction, that is b0, and theoutput is b for Oj and b0 − b for Ui. Ui signs the firstcommitment transaction and sends it toOj . After verifyingthe commitment transaction, Oj continues to provide ser-vice. The input of the commitment transaction generatedby the user for the second time is b0, and the output is2 · b for Oj and b0 − 2 · b for the user. The user signsthe second commitment transaction and sends it to Oj .After verifying the commitment transaction, Oj continuesto provide service. So on and so forth, the input of thecommitment transaction generated by the user for the kthtime is b0, and the output is k · b for Oj and b0 − k · b forthe user.

3) After k′ times service, if b0 − (k′ + 1) · b < 0, Oj couldclose the channel. To close the channel, Oj broadcaststhe most updated commitment transaction, which is as thesettlement transaction. After the miners add the settlementtransaction to the blockchain, Oj and the user can get the



output of the settlement transaction. In this way,Oj can getk′ · b bitcoins, and user can get back b0 − k′ · b bitcoins.

It is worth noting that the settlement transaction needs to bebroadcast before the time lock takes effect. Otherwise, the mi-cropayment channel might close and all the bitcoins may returnto the user. As described above, only the funding transactionand settlement transaction are on-chain, and all commitmenttransactions are off-chain. Therefore, micropayment channelcould improve the scalability and reduce the transaction feeswhile ensuring the fairness.

VI. SECURITY ANALYSIS

In this section, we analyze the security of our proposedscheme according to the design goals described in III-C.

A. Identity Security

It is worth mentioning that in our proposed scheme, user’sidentity Ui, public key pkUi

, and private key skUiare generated

by the user him/herself. The issuer authenticates the user andissues claim and σUi

= SigskI{H(IDUi

, pkUi, claim,LT )},

which contains (IDUi, pkUi

) that cannot be tampered with byany adversary. Network operator authorizes the user and addsthe user’s (IDUi

, pkUi) to blockchain, so it cannot be tampered

with by any adversary. Thus, each legal identity of the userhas exactly one pair of authenticated (pkUi

, skUi). For any

probabilistic polynomial-time (PPT) adversary, he/she cannotderive the private key according to the corresponding publickey or encrypted messages. Moreover, the user only uses theprivate key to decrypt or sign during all authentication processes,and does not reveal the private key, so the user’s private key isonly controlled by the user. Consequently, our proposed schemeoffers identity security.

B. Mutual Authentication

In initialization phase, Ui obtains σUi, which contains IDUi

and pkUisigned by the issuer. The network operator authen-

ticates the user by verifying signature σUiand SUi

. Since theuser‘s private key is only controlled by the user and we assumethat the issuer’s private key is secure. Thus, no adversary withoutskI and skUi

can forge a feasible σUiand SUi

to pass validationby the network operator.

In user access phase, the network operator authenticates theuser by verifying the signature αUi

with the pkUi, where pkUi

isthe result of querying the blockchain with IDUi

. Since we haveproved that skUi

is only controlled by the user, without skUi, no

adversary can forge a feasibleαUi= SigUi

{H(r1, ts2)} to passvalidation by the network operator. The user authenticates thenetwork operator through the challenge-response method. As thenetwork operator’s skOj

is secure, no adversary without skOj

can forge the network operator’s signature on r1. Therefore, ourscheme achieve mutual authentication.

C. Session Key Security

In each session between the user and the network operator,operator Oj randomly generates seed for the session with ses-sion key SKij = H(IDUi

||IDOj||ts2||ts3||seed). Due to the

one-way nature of the hash, no adversary can get the seeddirectly. Adversaries can only get the seed that is encryptedby the user’s public key. Thus, no adversary without skUi

can decrypt Enc(pkUi, seed) to get seed. For this reason, no

adversary can directly intercept and decrypt the message toobtain seed. Furthermore, in each session, the seed is randomlygenerated, and thus has no correlation with the seed of theprevious session and nor with the seed of the subsequent session.This means that all session keys are independent. Even if anadversary obtains one of the session keys, he/she cannot decryptthe messages of other sessions between the user and the networkoperator. Overall, our scheme could provide session key security,including the forward security and backward security.

D. Portability

In our scheme, the user generates his/her own identity andprivate key, and sends it to the issuer for verification to obtain averifiable claim. The verifiable claim corresponding to the iden-tity is securely stored by the user him/herself, and only the usercan prove the control of the verifiable claim with his/her privatekey. Since user’s identity and verifiable claim have nothing todo with network operators and service providers, the user canalways manage and use his/her own identity and correspondingverifiable claims to other service providers to obtain services.Therefore, the user’s identity is independent of each other indifferent services. An identity can be used not only in multipleservices at the same time, but also in other services after beingrevoked by one service.

E. Scalability

There is no central authority in the proposed scheme, andusers obtain personally identifying information from distributedtrusted entities. Thus, there is no single point bottleneck prob-lem, and the system can support large-scale user identity man-agement. In addition, mutual authentication is based on the pub-lic key found on the blockchain, so the edge nodes of the networkcan authenticate users without the involvement of the centralserver. This approach improves the efficiency of authenticatingusers and supports handling large-scale authentication requests.

F. Security Comparison

We compare our scheme with four other representative au-thentication schemes for wireless mobile networks in terms ofmutual authentication, privacy preservation, session key secu-rity, dynamic revocation, portability, scalability, and centralizedtrusted authority. As shown in Table I, we conclude that only ourscheme does not need a centralized trusted authority, and stillachieves portability and scalability.



Fig. 5. Time cost for Chameleon Hash Algorithm. (a) Chameleon hash keys Generation. (b) Chameleon hash. (c) Collision generation.

TABLE ISECURITY COMPARISON WITH RELATED WORK

VII. PERFORMANCE EVALUATION

In this section, we conduct experiments to evaluate the ef-fectiveness and feasibility of our scheme. Firstly, we test theperformance of chameleon hash. Then, we compare our schemewith the scheme using revocation list in terms of revocationoverhead.

A. Chameleon Hash Algorithm Implementation

In order to show the performance of chameleon hashmore clearly, we tested the computational overhead of var-ious functions of chameleon hash. Specifically, it includeschameleon hash key generation, chameleon hash calculation,and chameleon hash collision generation. Considering that thecomputational overhead of chameleon hash key generation isequivalent to the computational overhead of the network oper-ator initialization, the methods for generating chameleon hashkeys, calculating chameleon hash, and calculating chameleonhash conflict are shown in Algorithm 2, Algorithm 1, andAlgorithm 4 respectively.

The experiment environment is a standard 64-bit Linux Mintrelease 17, Linux version 3.13.0-24-generic with Intel (R) Core(TM) i7-4790, 3.60 GHz processor. All our evaluations were per-formed by programs in C. Furthermore, the algorithms relatedto discrete logarithms and big number calculation are realizedwith OpenSSL 1.0.1f.

In order to ensure the reliability of the experiment, we definethe running time of an algorithm as the average time of executingthe algorithm 1000 times. Then, we conducted 100 experiments.

TABLE IIKEY PARAMETERS IN CRL

Therefore, we obtained 100 experimental data, and each ex-perimental data represents the average computation overheadof the algorithm running 1000 times. All experimental dataobtained are shown in Fig. 5. Fig. 5(a) represents the overheadof the network operator for chameleon hash key generationin initialization phase, and Fig. 5(b) represents the overheadof calculating the chameleon hash when the network operatorgenerates a transaction. Fig. 5(c) indicates the overhead of thenetwork operator for a chameleon hash collision generation toreplace a specific transaction. Finally, we have that the aver-age time for the network operator to generate the chameleonhash keys is 12.126 ms, the average time for calculating thechameleon hash is 0.027 ms, and the average time for generatingthe chameleon hash collision is 0.015 ms.

B. Comparison of Revocation Overhead

The most common means of user revocation is CertificateRevocation Lists (CRLs). The main contents of the CRLs includea list of triples (certificate identity, revocation time, revocationreason), and signatures of these triples signed by CAs [37].Network operators not only need to store the certificates ofthe currently valid users, but also need to store the informationabout all users who have been revoked in the past. Users needto periodically download and cache CRLs to use them whenauthenticating other users. However, in our scheme, networkoperators do not need to maintain CRLs, and users do not needto download the CRLs. Table II illuminates the key parame-ters in CRLs and certificates, which are designed according tobitcoin [5]. In addition, according to the design of the originalBitcoin block [5], we assume that the size of the block is 1 MB,and each transaction contains 1000 users’ information.

The comparison of network operator’s storage overhead oftraditional CRL-based scheme and our proposed scheme areshown in Fig. 6. In both schemes, the storage cost of the network



Fig. 6. Storage overhead.

operator increases with the increase of the number of existingusers. However, when the number of revoked users increases, theCRL-based scheme storage overhead increases and our schemeremains unchanged. In general, the storage overhead of the CRL-based scheme is much higher than the storage overhead of ourscheme.

VIII. CONCLUSION

In this paper, we proposed a self-sovereign identity manage-ment and authentication scheme for wireless mobile networks,which is based on redactable blockchain. In our user-centricidentity management, users’ identifying information is com-pletely controlled and managed by the owner, thereby reducingthe leakage of privacy. We adopted blockchain to record SSI andpublic key to achieve user authentication and session key ne-gotiation without redundant registration. Furthermore, networkoperators can dynamically revoke users access to the network,and maintain a redactable blockchain instead of using revocationlists. Performance evaluation showed that our scheme not onlyreduces the storage overhead of network operators, but alsoreduces the network access delay for users.

REFERENCES

[1] M. Khan and V. Niemi, “Privacy enhanced fast mutual authentication in 5Gnetwork using identity based encryption,” J. ICT Standardization, vol. 5,no. 1, pp. 69–90, 2017.

[2] Y. Huang, C. Shen, and S. W. Shieh, “S-AKA: A provable and secureauthentication key agreement protocol for UMTS networks,” IEEE Trans.Veh. Technol., vol. 60, no. 9, pp. 4509–4519, Nov. 2011.

[3] Y. Zhang, R. Deng, E. Bertino, and D. Zheng, “Robust and universalseamless handover authentication in 5G hetnets,” IEEE Trans. DependableSecure Comput., to be published, doi: 10.1109/TDSC.2019.2927664.

[4] K. C. Toth and A.-P. Alan, “Self-sovereign digital identity: A paradigmshift for identity,” IEEE Secur. Privacy, vol. 17, no. 3, pp. 17–27,May–Jun. 2019.

[5] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.[Online]. Available: http://www.bitcoin.org/bitcoin.pdf, Accessed on:Apr. 3, 2020.

[6] K. Gai, Y. Wu, L. Zhu, Z. Zhang, and M. Qiu, “Differential privacy-basedblockchain for industrial internet-of-things,” IEEE Trans. Ind. Informat.,vol. 16, no. 6, pp. 4156–4165, Jun. 2020.

[7] J. Xu et al., “Healthchain: A blockchain-based privacy preserving schemefor large-scale health data,” IEEE Internet Things J., vol. 6, no. 5,pp. 8770–8781, Oct. 2019.

[8] K. Gai, Y. Wu, L. Zhu, L. Xu, and Y. Zhang, “Permissioned blockchainand edge computing empowered privacy-preserving smart grid networks,”IEEE Internet Things J., vol. 6, no. 5, pp. 7992–8004, Oct. 2019.

[9] M. Liu, F. R. Yu, Y. Teng, V. C. M. Leung, and M. Song, “Distributedresource allocation in blockchain-based video streaming systems withmobile edge computing,” IEEE Trans. Wireless Commun., vol. 18, no. 1,pp. 695–708, Jan. 2019.

[10] H. Krawczyk and T. Rabin, “Chameleon signatures,” in Proc. 7th Netw.Distrib. Syst. Secur. Symp., 2000, pp. 143–154.

[11] Y. Zhang, J. Yu, R. Hao, C. Wang, and K. Ren, “Enabling efficient userrevocation in identity-based cloud storage auditing for shared big data,”IEEE Trans. Dependable Secure Comput., vol. 17, no. 3, pp. 608–619,May-Jun. 2020.

[12] Z. Liu, Z. Liu, Z. Lin, and X. Lin, “MARP: A distributed MAC layerattack resistant pseudonym scheme for VANET,” IEEE Trans. DependableSecure Comput., to be published, doi: 10.1109/TDSC.2018.2838136.

[13] K. Xue et al., “A secure, efficient, and accountable edge-based accesscontrol framework for information centric networks,” IEEE/ACM Trans.Netw., vol. 27, no. 3, pp. 1220–1233, Jun. 2019.

[14] R. Dhamija and L. Dusseault, “The seven flaws of identity management:Usability and security challenges,” IEEE Secur. Privacy, vol. 6, no. 2,pp. 24–29, Mar.-Apr. 2008.

[15] J. Carretero, G. I.-Moreno, M. V.-Cabezas, and J. G.-Blas, “Federatedidentity architecture of the European eID system,” IEEE Access, vol. 6,pp. 75 302–75 326, 2018.

[16] U. Premarathne, I. Khalil, Z. Tari, and A. Zomaya, “Cloud-based utilityservice framework fortrust negotiations using federated identity man-agement,” IEEE Trans. Cloud Comput., vol. 5, no. 2, pp. 290–302,Apr.-Jun. 2017.

[17] B. C. Singh, B. Carminati, and E. Ferrari, “Privacy-aware personal datastorage (P-PDS): Learning how to protect user privacy from externalapplications,” IEEE Trans. Dependable Secure Comput., to be published,doi: 10.1109/TDSC.2019.2903802.

[18] H. Gunasinghe and E. Bertino, “PrivBioMTAuth: Privacy preservingbiometrics-based and user centric protocol for user authentication frommobile phones,” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 4, pp. 1042–1057, Apr. 2018.

[19] P. Bramhall, M. Hansen, K. Rannenberg, and T. Roessler, “User-centricidentity management: New trends in standardization and regulation,” IEEESecur. Privacy, vol. 5, no. 4, pp. 84–87, Jul.-Aug. 2007.

[20] S. Alboaie and D. Cosovan, “Private data system enabling self-sovereignstorage managed by executable choreographies,” in Proc. IFIP Int. Conf.Distrib. Appl. Interoperable Syst., 2017, pp. 83–98.

[21] A. Othman and J. Callahan, “The Horcrux Protocol: A method for decen-tralized biometric-based self-sovereign identity,” in Proc. IEEE Int. JointConf. Neural Netw., 2018, pp. 1–7.

[22] M. S. Ferdous, F. Chowdhury, and M. Alassafi, “In search of self-sovereign identity leveraging blockchain technology,” IEEE Access, vol. 7,pp. 103 059–103 079, 2019.

[23] C. Lundkvist, R. Heck, J. Torstensson, Z. Mitton, and M. Sena, “Uport:A platform for self-sovereign identity,” 2016. [Online]. Available: https://blockchainlab.com/pdf/uPort_whitepaper_DRAFT20161020.pdf, Ac-cessed on: Apr. 3, 2020.

[24] “Sovrin,” [Online]. Available: https://sovrin.org, Accessed on: Apr.3, 2020.

[25] “ShoCard,” [Online]. Available: https://shocard.com, Accessed on: Apr.3, 2020.

[26] N. Lo and J. Tsai, “An efficient conditional privacy-preserving authentica-tion scheme for vehicular sensor networks without pairings,” IEEE Trans.Intell. Transp. Syst., vol. 17, no. 5, pp. 1319–1328, May 2016.

[27] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-basedconditional privacy-preserving authentication scheme for vehicular adhoc networks,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 12,pp. 2681–2691, Dec. 2015.

[28] D. He, S. Chan, and M. Guizani, “An accountable, privacy-preserving,and efficient authentication framework for wireless access net-works,” IEEE Trans. Veh. Technol., vol. 65, no. 3, pp. 1605–1614,Mar. 2016.

[29] D. He, J. Bu, S. Chan, C. Chen, and M. Yin, “Privacy-preserving uni-versal authentication protocol for wireless communications,” IEEE Trans.Wireless Commun., vol. 10, no. 2, pp. 431–436, Feb. 2011.


https://dx.doi.org/10.1109/TDSC.2019.2927664

http://www.bitcoin.org/bitcoin.pdf



https://blockchainlab.com/pdf/uPort_whitepaper_DRAFT20161020.pdf

https://sovrin.org

https://shocard.com


[30] C. Chang and H. Tsai, “An anonymous and self-verified mobile au-thentication with authenticated key agreement for large-scale wirelessnetworks,” IEEE Trans. Wireless Commun., vol. 9, no. 11, pp. 3346–3353,Nov. 2010.

[31] H. J. Jo, J. H. Paik, and D. H. Lee, “Efficient privacy-preserving authenti-cation in wireless mobile networks,” IEEE Trans. Mobile Comput., vol. 13,no. 7, pp. 1469–1481, Jul. 2014.

[32] Q. Yang, K. Xue, J. Xu, J. Wang, F. Li, and N. Yu, “AnFRA: Anonymousand fast roaming authentication for space information network,” IEEETrans. Inf. Forensics Secur., vol. 14, no. 2, pp. 486–497, Feb. 2019.

[33] G. Ateniese, B. Magri, D. Venturi, and E. Andrade, “Redactableblockchain–or–rewriting history in bitcoin and friends,” in Proc. IEEEEur. Symp. Secur. Privacy (EuroS&P), 2017, pp. 111–126.

[34] D. Derler, K. Samelin, D. Slamanig, and C. Striecks, “Fine-grained andcontrolled rewriting in blockchains: Chameleon-hashing gone attribute-based,” in Proc. 26th Netw. Distrib. Syst. Secur. Symp., 2019, doi:10.14722/ndss.2019.23066.

[35] M. Castro and B. Liskov, “Practical Byzantine fault tolerance,” in Proc.3rd Symp. Operating Syst. Design Implementation, 1999, pp. 173–186.

[36] J. Poon and T. Dryja, “The Bitcoin lightning Network: Scalableoff-chain instant payments,” 2016. [Online]. Available: https://www.bitcoinlightning.com/wp-content/uploads/2018/03/lightning-n etwork-paper.pdf, Accessed on: Apr. 3, 2020.

[37] L. Zhang et al., “Analysis of SSL certificate reissues and revocationsin the wake of Heartbleed,” in Proc. Conf. Internet Meas. Conf., 2014,pp. 489–502.

Jie Xu received the B.S. degree from the Universityof Science and Technology of China (USTC) in 2017.She is currently a Graduate Student in communicationand information System with the Department of Elec-tronic Engineering and Information Science (EEIS),USTC. Her research interests include network secu-rity and cryptography.

Kaiping Xue (Senior Member, IEEE) received theB.S. degree from the University of Science and Tech-nology of China (USTC), in 2003 and the Ph.D. de-gree from the Department of Electronic Engineeringand Information Science (EEIS), USTC, in 2007.From May 2012 to May 2013, he was a PostdoctoralResearcher with the Department of Electrical andComputer Engineering, University of Florida. Cur-rently, he is an Associate Professor in the School ofCyber security and the Department of EEIS, USTC.His research interests include next-generation Inter-

net, distributed networks and network security. He serves on the editorialBoard of several journals, including the IEEE TRANSACTIONS ON WIRELESS

COMMUNICATIONS (TWC) and the IEEE TRANSACTIONS ON NETWORK AND

SERVICE MANAGEMENT (TNSM). He is a Fellow of the IET.

Hangyu Tian received the B.S. degree from the Uni-versity of Science and Technology of China (USTC)in July, 2018. He is currently a Graduate Student incommunication and information system with the De-partment of Electronic Engineering and InformationScience (EEIS), USTC. His research interests includenetwork security and cryptography.

Jianan Hong received the B.S. degree from the Uni-versity of Science and Technology of China (USTC),in 2012 and the Ph.D. degree from the Departmentof Electronic Engineering and Information Science(EEIS), USTC, in 2018. Currently, he is a ResearchEngineer in Huawei Shanghai Research Institute,Shanghai. His research interests include secure cloudcomputing and mobile network security.

David S.L. Wei (Senior Member, IEEE) received thePh.D. degree in computer and information sciencefrom the University of Pennsylvania, in 1991. FromMay 1993 to August 1997 he was at the Faculty ofcomputer science and engineering with the Univer-sity of Aizu, Japan (as an Associate Professor andthen a Professor). He has authored and coauthoredmore than 100 technical papers in various archivaljournals and conference proceedings. He is currentlya Professor with Computer and Information ScienceDepartment at Fordham University. His research in-

terests include cloud computing, big data, IoT, and cognitive radio networks. Hewas a Guest Editor or a Lead Guest Editor for several Special Issues in the IEEEJOURNAL ON SELECTED AREAS IN COMMUNICATIONS, IEEE TRANSACTIONS ON

CLOUD COMPUTING AND IEEE TRANSACTIONS ON BIG DATA. He also servedas an Associate Editor of IEEE TRANSACTIONS ON CLOUD COMPUTING, 2014–2018, and an Associate Editor of Journal of Circuits, Systems, and Computers,2013–2018.

Peilin Hong received the B.S. and M.S. degreesfrom the Department of Electronic Engineering andInformation Science (EEIS), University of Scienceand Technology of China (USTC), in 1983 and 1986.Currently, she is a Professor and Advisor for Ph.D.candidates with the Department of EEIS, USTC. Herresearch interests include next-generation Internet,policy control, IP QoS, and information security. Shehas published 2 books and over 150 academic papersin several journals and conference proceedings.


https://dx.doi.org/10.14722/ndss.2019.23066

https://www.bitcoinlightning.com/wp-content/uploads/2018/03/lightning-n ignorespaces etwork-paper.pdf

an identity management and authentication scheme based on...

Documents